I am currently just finishing an undergrad computer science degree, but I know very little about computer security.

What are some good resources (aside from this site) to learn the fundamentals of security? I realise that good resources will probably vary depending on specifically what sort of security each is aimed at.

The question can be rephrased: If you were forced to employ someone in my situation (solid knowledge of algorithms/data structures, a few languages and different programming paradigms, and basic Unix knowledge), what would you make them read/learn?

11 Answers

You've got a lot of suggestions from the generous people at security.stackexchange. However, I am also sharing one great source to learn about computer security. It is http://opensecuritytraining.info/; the tutorials there will cover most of your basics and you will be all set to move forward.

Other than that, I would suggest you look into the archives of various hacking conferences such as

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.

Learning how to secure something means you understand, at a deep level, how that thing works and what its weaknesses are. Risk assessment is also a big part.

I'm sure there are plenty of links to be found to security sites, mailing lists and books, but it really all comes down to understanding the weaknesses of the system and assessing the possible threats.

Generally, the best resource for securing something will be that thing's manual and your own critical thinking.

There are a range of organisations who will not employ directly into security consulting or security audit roles unless you can evidence strong IT experience. This does help to build a more rounded, practical view of security in a real world operational environment, whereas sometimes when I have hired new graduates of security degrees they have required so much training in order to bring their ideas of security down from an 'ideal' but unworkable position to a practical level.

+1 for mentioning Safari books. I have a membership through my corporation and I'm loving it. I would never go back! :) I also have my iPad hooked up to it, making it easy to look up information anytime, anywhere.
– Chris Dale, Nov 24 '10 at 20:56

There is a huge variety of books on information security available for free. A simple Google search will do the trick, provided you know the topics you need!

Here are my personal recommendations as a must for entering that world:

How to integrate security into the software development lifecycle. You would get the Microsoft SDL (that would consume some of your time to read it and familiarize yourself with each topic separately), Building Security In (e.g. BSIMM...), security requirements, secure programming... With that you should cover (as I referred to the sub-topics' importance) security testing, fuzz testing, code review, ...

On the other hand, you would need to learn the technology-specific security solutions, like security for HTML frames..., access control models from the application layer down to the DBMS, security protocols and why they are used, security for web technologies and for RESTful web services or SOAP-based web services.

That's a tough question to answer, because "Computer Security" is a very broad field--

If you are looking for just general computer security stuff, I would start following Richard Bejtlich, who has authored a couple very good network security & forensic books--But he also deals with the philosophical mindset of computer security--For instance, from the Tao of Network Security Monitoring:

“Security is the process of maintaining an acceptable level of perceived risk. A former director of education for the International Computer Security Association, Dr. Mitch Kabay, wrote in 1998 that “security is a process, not an end state.” No organization can be considered “secure” for any time beyond the last verification of adherence to its security policy. If your manager asks, “Are we secure?” you should answer, “Let me check.” If he or she asks, “Will we be secure tomorrow?” you should answer, “I don’t know.” Such honesty will not be popular, but this mind-set will produce greater success for the organization in the long run.”